18fc960a289b23e824adc309e21a6730dafdea3a1d41f7a9ca0a50c081866a06

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 01:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bfde75690e63872b642a6a5340aca823_JaffaCakes118.exe
Size

986KB
MD5

bfde75690e63872b642a6a5340aca823
SHA1

1bd75f06d193e716ffa8278e88a827a36d628395
SHA256

18fc960a289b23e824adc309e21a6730dafdea3a1d41f7a9ca0a50c081866a06
SHA512

09f8119ae612af30cf63d7cd2996ec3db2b1931dc5d1c2f0ce9c8744607447c0fb8b3db7b88ffeed99fb9b2c5244bb74dce3a7ae03c93ae37048d70942f1d74f
SSDEEP

24576:3KOaAynmwepBSqNns0YbBBac2izvqflxA7x9Ft6qJBgiqU:fCnmwepdNnsNbmctvCCzYzbU

Score

7^/10

bootkit discovery evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2880	lmi_rescue.exe
2720	LMI_Rescue_srv.exe

Loads dropped DLL 2 IoCs

pid	Process
1760	bfde75690e63872b642a6a5340aca823_JaffaCakes118.exe
2880	lmi_rescue.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*LogMeInRescue_1677182614 = "\"C:\\Windows\\LMIB4DE.tmp\\lmi_rescue.exe\" -runonce reboot"	lmi_rescue.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lmi_rescue.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LMI_Rescue_srv.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	lmi_rescue.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	LMI_Rescue_srv.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LMIB4DE.tmp\params.txt	bfde75690e63872b642a6a5340aca823_JaffaCakes118.exe
File created	C:\Windows\LMIB4DE.tmp\logo.bmp	bfde75690e63872b642a6a5340aca823_JaffaCakes118.exe
File created	C:\Windows\LMIB4DE.tmp\rescue.ico	bfde75690e63872b642a6a5340aca823_JaffaCakes118.exe
File opened for modification	C:\Windows\LMIB4DE.tmp\params.txt	lmi_rescue.exe
File created	C:\Windows\LMIB4DE.tmp\lmi_rescue.exe	bfde75690e63872b642a6a5340aca823_JaffaCakes118.exe
File created	C:\Windows\LMIB4DE.tmp\ra64app.exe	bfde75690e63872b642a6a5340aca823_JaffaCakes118.exe
File created	C:\Windows\LMIB4DE.tmp\LMI_Rescue_srv.exe	bfde75690e63872b642a6a5340aca823_JaffaCakes118.exe
File opened for modification	C:\Windows\LMIB4DE.tmp\params.txt	LMI_Rescue_srv.exe
File created	C:\Windows\LMIB4DE.tmp\params.txt	bfde75690e63872b642a6a5340aca823_JaffaCakes118.exe
File opened for modification	C:\Windows\LMIB4DE.tmp\rescue.log	lmi_rescue.exe
File opened for modification	C:\Windows\LMIB4DE.tmp\rescue.log	LMI_Rescue_srv.exe
File created	C:\Windows\LMIB4DE.tmp\rahook.dll	bfde75690e63872b642a6a5340aca823_JaffaCakes118.exe
File opened for modification	C:\Windows\LMIB4DE.tmp\LMI_Rescue_srv.exe	bfde75690e63872b642a6a5340aca823_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfde75690e63872b642a6a5340aca823_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lmi_rescue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LMI_Rescue_srv.exe

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
2740	bcdedit.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	LMI_Rescue_srv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	LMI_Rescue_srv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	LMI_Rescue_srv.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\AppID = "{359471F8-E218-4b08-8D1E-8DFBF2F0F700}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32\ = "C:\\Windows\\LMIB4DE.tmp\\LMI_Rescue.exe"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\FLAGS	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\Version = "1.0"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ = "IRescueSvc"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\ = "LMI_Rescue.exe"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\ = "Rescue Com library"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue_srv.exe\AppID = "{359471F8-E218-4b08-8D1E-8DFBF2F0F700}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32 = "LMI_Rescue.exe"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\FLAGS\ = "0"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ = "IRescueSvc"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\ = "LogMeIn Rescue GUI"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32\ = "C:\\Windows\\LMIB4DE.tmp\\LMI_Rescue.exe"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\Version = "1.0"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\Version = "1.0"	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue.exe\AppID = "{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib\ = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\LocalService = "LMIRescue_4dfa75d9-3013-4d04-86ba-6e61489b0681"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\RunAs = "Interactive User"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\AppID = "{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR\ = "C:\\Windows\\LMIB4DE.tmp"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\ = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ = "IRescueUser"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue_srv.exe	LMI_Rescue_srv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMI_Rescue_srv.exe	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib\Version = "1.0"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\LocalService = "LMIRescue_4dfa75d9-3013-4d04-86ba-6e61489b0681"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid	LMI_Rescue_srv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}\ = "LMI_Rescue_srv.exe"	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}	LMI_Rescue_srv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32	LMI_Rescue_srv.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2880	lmi_rescue.exe
2720	LMI_Rescue_srv.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2880	lmi_rescue.exe
Token: SeCreateGlobalPrivilege	2720	LMI_Rescue_srv.exe
Token: SeCreateGlobalPrivilege	2720	LMI_Rescue_srv.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2880	lmi_rescue.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2880	1760	bfde75690e63872b642a6a5340aca823_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2880	1760	bfde75690e63872b642a6a5340aca823_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2880	1760	bfde75690e63872b642a6a5340aca823_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2880	1760	bfde75690e63872b642a6a5340aca823_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2740	2720	LMI_Rescue_srv.exe	32
PID 2720 wrote to memory of 2740	2720	LMI_Rescue_srv.exe	32
PID 2720 wrote to memory of 2740	2720	LMI_Rescue_srv.exe	32
PID 2720 wrote to memory of 2740	2720	LMI_Rescue_srv.exe	32

C:\Users\Admin\AppData\Local\Temp\bfde75690e63872b642a6a5340aca823_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bfde75690e63872b642a6a5340aca823_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\LMIB4DE.tmp\lmi_rescue.exe
  "C:\Windows\LMIB4DE.tmp\lmi_rescue.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2880

C:\Windows\LMIB4DE.tmp\LMI_Rescue_srv.exe
"C:\Windows\LMIB4DE.tmp\LMI_Rescue_srv.exe" -service -sid 4dfa75d9-3013-4d04-86ba-6e61489b0681
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\system32\bcdedit.exe
  C:\Windows\system32\bcdedit.exe /deletevalue safeboot
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\LMIB4DE.tmp\lmi_rescue.exe

Filesize
1.8MB

MD5
cff295d71f5c8134fc20c565c0711e71

SHA1
5d97d3b693d84ddaf2a7a6610e01e8130e91b63f

SHA256
e5cad8573bf455740f73ba5890a16bb10348f37379495514d40b4989054c11f2

SHA512
309ba8642cc96cd9b563ff2056f3f73f4faaae1d0a5e4b068df9ebdd09af902dfb727d76e0a35bb7b4434ca51dbf831dde1ff3a6d3a0cc8093eb9511057d4aa3

Download Submit
C:\Windows\LMIB4DE.tmp\logo.bmp

Filesize
7KB

MD5
4925bc92dac27cf1f12c26cf72002820

SHA1
14d36e8eb66ce3704cf347657adac7fc460178a6

SHA256
af1d81679b00a6c34b9c95d6919fa70d6d6d8ad2e6df3a466a6cff2a0cba6fc6

SHA512
d119d557afce5f5117877f404e3ed32d451148bfac03f46296c70b0f34eff7a55724555f9b1edd76d202b43eafcc74568ffdedd6e60cef07491d7afb603a19c9

Download Submit
C:\Windows\LMIB4DE.tmp\params.txt

Filesize
342B

MD5
f841cc46b30fd16033d5f1dde43c7e75

SHA1
a580abc0931810f9891faea79dac6325cba639b3

SHA256
856e97f14ecd98c04336b51a57ae2259f252fa1ebffab8e9c5d3dc2da6f4188d

SHA512
238485f63316f7e1a6ce388346cef4bf71eb29e3aae39efd25e2e0d54cd351f82e35bdc9c84962f17f1c42816ca2a6e94da730cae4ddccf2bb24f22632ab0f59

Download Submit
C:\Windows\LMIB4DE.tmp\params.txt

Filesize
393B

MD5
4e8219b92b1b334d51a730e8420badc0

SHA1
04734b99051783d9a31e11151f08e1fa70ebeaf4

SHA256
c20fa3e10c25329ae82d0ffc9c09a95fc3359149f9aeb394e1c72f7b1d22aad8

SHA512
511e685adc3a2b66ba041326bbe760f6731d9068d5a08e62760571f02db161c756df0dc220d614d7437141571441119bd871fb25cbf543b1ab8c4bfbf0c8c4e3

Download Submit
C:\Windows\LMIB4DE.tmp\ra64app.exe

Filesize
205KB

MD5
6448cf80dda9d048028dd8f73a5d7267

SHA1
ea061e8373b427a94ad3a558354b002db63a73eb

SHA256
1d41700f8b4cfd8fadabb5ef1b6c2b3058b1c9a1b8534afc3c61a4a76145816d

SHA512
93353c38717ecc271acca5a7c1df4b167a64ef71cc413821b6022c82b26a21469d7bb630e141946c75e044ccf759d2f5cb4b3d16466e7260df2536e16168d60c

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.ico

Filesize
48KB

MD5
51fa8f4746f1a481c5ea25931e99ed77

SHA1
76a78677e527a0564533d90ed16fe5d7da8102e2

SHA256
ad3ec59a6f04578dc4dd9b85dbb2552019fb509201524c6cb8d06fea73da62d7

SHA512
c7a3a40ec447800297138c8ae35739c080388654f1afeb3a2c55080477615efbce94f05a3683f3f5528e9eb8e0ab5477be3f396a7b32e21cfd73b39e68197b29

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
12KB

MD5
199316765fd5caa859048ddb1e0f4c49

SHA1
cd5fe43f9d798081f44d199addd6a5ebf335b902

SHA256
1b3192c4f4c9c5b6c78c6911ee02ee124eaec7724eb45d84e7f32a0c4a68589e

SHA512
e11bd473ddc7f9800a56428073c256ee479fad173d4ede5752a0b6503c31a306ac95c23c48f0b2b203c3c320dbab39c535bcd758f5cc783b344b2914398689e1

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
13KB

MD5
ad38ea55019fca5e04d0c324979bc399

SHA1
524955119623dad5b0cf378145618df206c78158

SHA256
9589e14c7d37894e2283001270fc112026565daf87554aec8688eb0adc0b78b3

SHA512
9c6686c8d26e82d8064399b0fc2b16da69bed94bbd5438ba5523768d130afd8aad95a0efdfd419a1dfa3860ebed6362aa27279691f4194f1b3e8ecadafb33aaf

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
13KB

MD5
c3347df2485d8113ab7ca9afca9c1801

SHA1
84302df2314fc6d0ad4304c51b3181c65484ed76

SHA256
8e3223a65a3076c603e78900a633bc0c2773eb94825a848dc6c7cf1195cb3a58

SHA512
73612ddeff8a09acd6b79caf879ec1c5dee8c351cdcd060c1ddf3836c577a0f0e318bc1c84835515a54744ba2bd27815fa2f1ff876bdaa9b56a2461e50d12632

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
15KB

MD5
6d0b967f7a74e582845218d6c41e1d42

SHA1
465a41fa1ec4fab5766ad0f98e9d29d526e2e542

SHA256
05517a9d6099fb62e4a7522046dc9317ccf8ee14689951ee3c2b9d77c23a6f56

SHA512
6ba12c22b6883f85a008ef5a2561df0812da6aea33d81d7017ac3476d07542cca54e2a797a2b0fdc5c5c10783a2da1fc325dd8111124d2f7ccca251bd687a8ec

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
15KB

MD5
96ad09baf447edc534156e8f7c743775

SHA1
9d55f1725f9ceeaed8217f758f4b30a52b120cf7

SHA256
3751c554345bcaa2b8b0081001503be9acdabb2b160617ab1687233997613fa4

SHA512
08d5eb762865f1da12d8adf9aedf8931cc55ff9d68656bbb81af4345ab7294d2210beabe2fbbcb9104cc14b9598ff5c1830da29b9a894d20d64c20ce9017cf60

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
16KB

MD5
2811ac091e7d98179529e41737a4a7dd

SHA1
7d3a7e0de31cbd52ad297fb03229e255185ac3c5

SHA256
41fde06aec5e8d6671265a5a1f3ad050f26ddb43ae70e9684cf8a4753068186e

SHA512
77266359da6dfa8955764fa07156d15cb27cad152c9c95111d01d545d0854703071eb7f57f0647143766fb221cdff8b4818edde9242b11c6fc4abc08b63cdd2c

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
16KB

MD5
eee89ab0ec8a16368c9ce498f489a705

SHA1
bc97c4446afc18f21608a3bd9d4a7f4a9d8ca173

SHA256
50a8c224c127b78c3677fad73c927d8cf3548261da7230994f80111c574a7c59

SHA512
c37b359c06b13ebb8dc072d91bc2381a81242d335d6c13a6db658788108a309f8eea0793f80afebb94652409d6e4213fb61c85fd4999ea4fd0402ae7942f048a

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
18KB

MD5
27129d1b9fd930e9f4b7ad96aea1e4a3

SHA1
d631251ab13e15913ca0f16424d7d7481a93242a

SHA256
7a926955cba820185a0b980a0d2d1ffc3d3b945c441dfa9ec60c3e8b3338827f

SHA512
79fce7a1958e2a7abe4d504b7e2891235eed2f051c11d3879af3583681d0be98e6298bd1758cb6b930b1155f950bf993d651109d0299e73e0d1e09f24bf70f86

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
18KB

MD5
430a78148f8530d0ca6658cb7617ea45

SHA1
fa541685dabfe26dfc00e63e867a32a399ccea25

SHA256
ecd7cebff9172df94d0b80d3508e0800cb008d1ab7d73e47af65f70b447a6328

SHA512
696cc8351c60485faa6ecd5e8a5bf7147d0d390c14e046c4b19d68ac4d589d81b109a677b1ed2647fc85c7b5a5707a9893de35457e4ad8a97509fb54e2c525fc

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
19KB

MD5
3811947b153407df0b8498197b7a2c33

SHA1
4eb871e3ba0b44bb40c12ced0dccc52d4d4f16c9

SHA256
d1e5c8c73ec66cacf7bc7094adbfbea56b8039c85b8f74dda928381c4c84a31e

SHA512
c5795e9eec51de350766fe3e64efd77e0f5393c410a31b0cd4c6d5a5466b5955c1892eff5883e31e449b8e5d1ab3fbabeb0b1ba3ba5edd99819e5fd543b5444e

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
19KB

MD5
69ab3d9e268e00d8e6714eff8aeb45a5

SHA1
19a6f824e1d6c05a20233694ce75e6e3920b18f1

SHA256
ebbf4313f6fd2625bb5818c18596e44cb3b7565755eeb0afbcad433c4c15a2c2

SHA512
7893becae55e5bd466c9864255b6b58177bddf80ee05a45a2d4333ce18287d3c9f10b59414f7c16d28b17c4b88aacaa10177b3ce57bdee535a414ba50c9d3fdf

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
21KB

MD5
3e1524e3ab9687b729bf63b98d6ee066

SHA1
73777bb25e301c026ccf68a98833bed2a783f6bc

SHA256
811ae44465e8259c0804680827850639e03e57f34525dd76b830d1151495ffc8

SHA512
9597e88491424b196f58267b10716db01c8349cb1bd5eb38414eacebf70720023592355d4a8b816f91d8a1affe2908f41bbecab68eaac5541809839f65c2c697

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
21KB

MD5
1e7f4d82e7a32604254a802ec0d3b24a

SHA1
239ded967dfef2f39198ce2313962da65e8170c6

SHA256
d9eb44d1c9625d839837f9b6f0ccb866480658b01c7849b49380814310971214

SHA512
8072d0e4ac379ad59b1926de3770368566874c3ed6017fd094d24d75a17844dd5358b5c075f78b56c1e9f61f639e745186a33d4e901ccae911d274b07fc14ef3

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
22KB

MD5
5196d491fdcbfee33e8c08ddd85bd5ef

SHA1
d6d7c6972f24c286bd1fc0402f322ec562335696

SHA256
d17b7469b18073b4b3f5957f797588ced9ecf85e121af5aba7a81ac5c064b78e

SHA512
ec836b9383cddc3e13a38a3d6e0b38956ba7aae5947d48742dde0acafb510ab576e5d64925083c87ddd8875e5cf2971baab0bbaa03a315357b67b91eab0d9e69

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
22KB

MD5
64bd03cb082dbbefb4091f24b1aefbd4

SHA1
b14ed8cfacc0548957505c9b1c75ac3ec2abed32

SHA256
56f5e4631757fccd38a8e708b0f26335f5631e7cf7ed59eb08764297fcc941f4

SHA512
bf9e0690dda9c11e6ce2d2136d2a1a96ef83f7a06230f355222f08fde52e55cc39293d977b5c7ba69d6c1655e5ebadf15b0d5120ab96a5f7ffb2e0b3fb3d6f2a

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
24KB

MD5
d56187467a722d4428c027d2f3b531c8

SHA1
a622d114c3ac65073d5df629142bff8e26701e13

SHA256
c0a78b1e239fc9adf9bfbbd527931ce0b55180db14c62d526af9cd85c3277fbd

SHA512
5b9061f90b8bbfcf2b2760bd690f07c854587bdc78396ae4092ba33a3a6c2b2eac9ff64954a966bbacf8e844a483312f63c1909649c54ea03f70f943b053d56c

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
24KB

MD5
7cbf886a6b6623c8ae151f39ac9213bd

SHA1
5d38f12c5d0d4c98b4910137266e29835a3274ee

SHA256
e4d17a96e9ddd518c252c7f18d86d2137942c8c42267aa6e74e2ab429f3bb281

SHA512
133b9b0baeefee79889c8ad5665148356dc768234bcd88d189fb069cfc1a37cad2ec5990479686d1fde1a7f85d1df0c18b9eb5eee4c21d7bc9dea9e67c6803b5

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
25KB

MD5
4745c950bc4ae31242cfdf994490db02

SHA1
7293815de60b2936d9012f8ba979516aa1ceb046

SHA256
4a209be562a8641125ab0b4416e3e594742f3abe8d8fa5de7c3054c9ceab908e

SHA512
a41b448a91e34350f79e578eb1fa7433a59b544b4778f4b703eb15c2a126d1eadfccf4d6cff10610c1b2a6fed5bfcf9ddc7fa8b362b9d2cfe4f85be35a40f28a

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
25KB

MD5
d2feba3a57ce785a25bf1e7c1a5eb272

SHA1
0e13565ad52f14c141d56a2e13d1358b2528442d

SHA256
2d8cd2845bb96e58d7729a7b04f0e730206be8bca88ac8b2019430ad57a9cbd3

SHA512
a835974debaa1116f8112de5fa9dae84376808ee7acf5fc7911fb8cbcd8062495e29fdabc3b99f0c2c6e7c31ceaffce16dbf7eaba4c57a30801d49c82bb3d31e

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
27KB

MD5
c00d4de1fe376c977933700f3c04e513

SHA1
315dbf1d3daae0fb233c7e591a6c3135d00223bc

SHA256
0cb1da6620d0703cd8b9222328b474ee276332cd0f86d5dffac6d77b9fc57e8e

SHA512
89f91f0337cac2d334fab572d84e69d98e576ef71b385a4e1c59122e4294809d209525b5b87eb49cf4e412f43adceebf07f5681ba98920cba145bf45bd9db1ce

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
27KB

MD5
1cb9c615ba8b7408d53a7de5a4eeffe3

SHA1
8ff3014b1a3b6abb9f80fc54a861d08f730f5d8a

SHA256
9ed1e6082124a2f8eddfc8c003d5a5d74f61a2430434ae2de5dda37fa1b2a7bb

SHA512
0f175bd65dbb4e99247fee75f18e8fc9347350056ca09fabc93914d6a47b3bd7f1b916966f1e61be8dc48509de0322b67ef2284cf4e83a538cb931d6a08efc24

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
27KB

MD5
b8b38242dc2d985c5f05486b9827ef36

SHA1
2b3f2afd688fee885705adee4b35f325c712b36b

SHA256
54085dae3868496da49a5bcca9df9e848bcd1dea598747386de3ef066ba20fca

SHA512
833f13be631be60a47a47d0aa3d69b8ff59f37ffd3bf5edb03df645bd24b28335d235e6db94d0660d1d5786004157d41c435d8b01a711fc6a914432db8dd5f1c

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
28KB

MD5
aa299b940bc7df0ad0374cb4c3534743

SHA1
a9609d9f88df5ed97e382a71a3c412554da846bc

SHA256
5a251ae99ae27141be59e234e5f5da9be7d940a5951aab37c9580010a0af0f8b

SHA512
086d426a78798b4c7d2c65ff921535fcc3b72e5ff5658e41d4720550fa21d11bbd1c0758f67bd10453daa7ddd7fa3cc52096750a9da22cb6afb763a5afb2b186

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
30KB

MD5
fd220222c9def1c2a5af728a46108b4b

SHA1
edf309f081cb9d979a4babea2bb5ca6914b83845

SHA256
bcb800edf155ac8f75946d1d7ddef211fef43b57193f37ecaaef1306eb210662

SHA512
12bf067ba1129f961d7bd514ffb45834471129265f43b45136dfbfe0d760fb78d14827cf39cb32c11cc99707d79afb3ea9f5b9223c3150e70c707296bf60e304

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
30KB

MD5
df429f05d70ab2944573e736f091ae3a

SHA1
369d8e245605030d380e014efdf07280a335152b

SHA256
51c4bec06320e1e9c77b4200968345eb4873560e5b0fb1619785c3e563ddeae1

SHA512
7927045322d7e77817fcfe70e6f9ecd392539fa8b3e9171e646790d523ecadba75f4291f0bf2dafa455df16e4ee7a377b7dd5dc562ce8f37dd7b1808c6c49690

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
30KB

MD5
813ff19c8e06a0848473d5c924c1f265

SHA1
0be12d1faa1e88b1708ba720aefb47dd5953199b

SHA256
ef44b5d7c943b36d0ce2460866cb98c643f06d43edb261cc7d26dd2a888aad8f

SHA512
63c19c41b172203537aebc155d0948c54247a8c5f1579102b9f14c4526cb42e015ac2a888624c9cec9ea927ff3460cd679c9bd916fa9901355062a0b163c7fde

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
30KB

MD5
24a91ee77be94f1d9f147beb84ea3198

SHA1
5e01bf28eceb93a25d4e6bb773db482b1d3ea4cb

SHA256
e8dddb8f78e4ee58c9ab58939d1a1bdeaab91b292113705a8cffbe91aef8aa01

SHA512
18b275e61ef668c1950d67646ee887f8cad482ff723ed09513c3489ec07d9a394a80d9a1982280163e592f198bea6915b213eabd08ebe374fdbc16b979b531cf

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
33KB

MD5
f0b72abee3a2db41af2c4ba80b9c2b8e

SHA1
557d9d59615870c4ee56c08068aeee95b77dce7e

SHA256
e8bfa009f1d5f8fb4b0e2977a082aaefaac777c059b01bc308789c76497c7edd

SHA512
7b22a409f4006fb4562a539d97885b2ff3be9b0dcf4a1077016d3f89ee358dac2f68a63c0a3082ae4549076c50a266738b9784e6a993940d3db5a3bce96ce526

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
33KB

MD5
46fe390d984f8309cc9908d32e2a7048

SHA1
dce252e6b32eff8c0c25b9956708ce447956cf65

SHA256
d9e6ea5a1e432e332078485a9eacea548970440bd65c98e0592e27589898d8b5

SHA512
e1cf0e351dc9c7a91e61356bca074b1b9ab7ddc34fe1d8cf8a7196c773316be50305cc64a6123f35cff1412eedb76756d180ee69dd730c0fae332b6ce680f139

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
33KB

MD5
a0b3d76ed4ae54fc333235ef0dad3d05

SHA1
fd41adcef31e4860d336ab9771144e38eef66481

SHA256
8077f7c5029404701424de356bc50925d9b8b6f84290ff4508084f79de8d1a7d

SHA512
1c61c89752b79b69355565a15f556b7b8022ceeb0f87ca474b499c1cb32dc24fb2fa8f741344f4c57a35953b1215d9a087ec36a4575fc4669cc08ebf38a79c72

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
33KB

MD5
bb69c02a5338fc0e46becdfddc46aca3

SHA1
bb1889eac325632c770aa4ee06524dc8e56ead4b

SHA256
f0468e8a5440c8d30dc9f0ee70b069da40182fb138c456695ca470dc20fc7721

SHA512
808883c9063650f434ca0208d51f5801ee42684797b5c0ece852499ca91331aebde16750fd4d7a0ec5586056d4c5bceddb875e81954220d960fbdfa0b27fac74

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
36KB

MD5
f724909bc78c6aac48e64be3a3d6ef29

SHA1
cd5cfe3c551a598e0edb8b0f384a0b3df127ad59

SHA256
aadb0f3142a67d388141d9b5cec49caa928d5738dcbdfc5fc8c16e77eb426090

SHA512
1927b97f9297ef6d37b8b1ab5eebc9133ddfb72dd29366127971f352093d8df0b91990e42711c8a03b810c3969ca240964d569a701cdeb3633dd177d1018890b

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
36KB

MD5
28c0cece386611b5de8a23b5abe7ca75

SHA1
a97ebc0185bcff732a658f40f800ad8b2150db8e

SHA256
19f875feca6e4dac6b835b5347437c353342bdcc210bc166cc14158857493903

SHA512
dc1b80394d1a49c38babd830a0bffac72fd076c1749b2ac8cb2f959b05e283ee1df95d52504ce01642d0a7a6faecb10bafe3756c678a887ee55b9c3e9e205f0b

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
36KB

MD5
9deb1b41f3ebbd9eceb6aa653f8e952c

SHA1
3b6f9374e32146b1fb136f02e08a7fcaf6e076a4

SHA256
03e6d3b18c8b9cad96f7b8e332917270bc5eef358751dae2d04089a9aec394be

SHA512
59299047c2084bfbaa75c70d1d888c609e5076f77a073405aed14aadb9ab7ce8cff90cdcbe8de273c5cdc6367b63ba74a50b53f3ee07cdad3a23cbee76390378

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
36KB

MD5
42eb0cd91ec2b6105ee2fa2926953ca1

SHA1
ae1b1b23991dc0d700df1d8202138c5767931f1f

SHA256
a9d15e2fca7c8263cca7d876914bc98e2941bfdc9410154c6a7d4005362c4767

SHA512
f9943dc903c1f381f730057426077e09815eab62814acb0b6538e4ccf01da3be52a0514b5c0712192a0c7f65d3a74dc8495b13ad19dd9a1a899e3e05c65dd50a

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
39KB

MD5
f16680d6b9a27982c5146d98dc5203bf

SHA1
1553d33043fa250767dc60f17af7c26635f7236b

SHA256
7a21678faf837ff528de0761c2961f27e904c4f00ed37fb79bbcf3d57be1bcb2

SHA512
c3e1b6ff8050fac2df095e2f1c60533473403e156c1ba2e13b437bed9ca475762df8c79cc25ef2ffcf303f9003458dbb695ba34d454ebe7b063ffd38bb972a9b

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
39KB

MD5
62738aad3e92405e14f0fd2973240cfa

SHA1
853f4903a691b1893921324b667fb9c435e701ae

SHA256
4900e7f7aecb13da55cf82a3a219ad7bf0f3611e1c966de3731a3588a4be3d0d

SHA512
487adb4ce72a7fa466634f4fa1cbe776b596c8ef63bfe659682952acd7cc7de21e5adaf2b3d2f27fa9b7f01de616ae50ac20e4b640a21d9fe79453b140b43a58

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
39KB

MD5
8cd9cabe45fdc1dc9487894beb029891

SHA1
b434f166ae128262bf5fdce081aa812dda13a0f2

SHA256
15e254fd4ccac9725062fe38f8fc38b791ffcbb14e110ef3f95f8efaec274b8c

SHA512
02b9e58d6b5775c08568dc25618228d6e9251a864606f0be48da4d7d7ddd74af41f06b73e5edae514bc07f6cc82b461e163f8fb9f68f7108e0b597f3c162ee79

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
40KB

MD5
49c08ec1eb7bff0abb79869acbcd7ce6

SHA1
d62755323a0c1898317b96cb47cd41245614653c

SHA256
fab748fdbc28e008a58dddd4a3805e6a52b747a9eb7f72fa8cdfe071fcefcafb

SHA512
4b6e225e33023df3986487880267a9e325c13bb81fe55968ddcbb76e873d29541ea4a0d0813a84414b369050e522ba58fd858dd5343b951f8c12cd1fc8f39e50

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
41KB

MD5
4dd43380f96d6be8b6b8203e9ca45d97

SHA1
d5ac0a59e32f921987469bea808cd9610c9f082a

SHA256
b6b4b2e81ab4a0e35012b946f79cc77c8563f43bfb2099e7d5f5b9a0b31f488a

SHA512
de09fa360d0a8d8cfaac00e7b99157d125b6cbb19c51398b268ea1ac72bcef682df5ab7dc1d7a0d2f560992f20ae6470f57fc420a45dda699e80ecf2c54074ad

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
2KB

MD5
d4fb20e497c136f19339e228b76d879f

SHA1
aaaeecd4a4dfcc3afd0e2ed52948ba5dbe7df683

SHA256
398a8fb69681961ac817d8a42fbada363fcca5c83e1d9b46857c2b5ab7304f53

SHA512
9ccc35fc214cdba4d32a9eabc10f0869065a2bd8195d915476f355c79ad3606ae69abea35a95ec291cc5e3c9bb34e7f6635c17e556e64309026c6c3453cf86a3

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
3KB

MD5
caae6a71287b104b9310ea9e2a48f5c8

SHA1
da0eded0eb19805250e1ccd959422d7baa9bc35c

SHA256
3d3d67faac40e749d6e0f124d966426da13a03b1d13b5d7681494b7106d851da

SHA512
c1d0328ac994b3e5bdc8ca0a555598a668177a2964f71b56f9a252bc92972c7f276ce9501beb9d23c1ef544a40fe05c6542f4efd67c2ff8397e8da1de6bfaf7e

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
4KB

MD5
4ed239b4ed20403cb88aebd18e3950aa

SHA1
c009ae12d5f164f67338dff9a3955da41d28dffe

SHA256
c41e8a64a4de7aed547c74cb6147e30813d65e9427066532d374a51db2394216

SHA512
5617586f8e9ad21402afbcaa202b5a5a39caa31eb5e55066e6279794023fe5239b9c84594f882b5d002dd5b7882a767900fc890122b86ddb358cb9ceae6516fb

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
4KB

MD5
d5941f00db825719a1c5449379c750f3

SHA1
ad85ba0b4b5956944366cbbf96dfbc736378a74f

SHA256
fef719a3128a008f0a81d9232f203db2af18209579767354f5d786788fc03f66

SHA512
5496c793df577f0a38345f11594cdeafb5c08265fe0dba85e9e8eeeb73adb3791c5fcc6129d85dcc125047ccdef1cf011f5607b9fbbc0eb8fed3f8a9098af45b

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
5KB

MD5
3cf2ae9abc34594a8341270767630275

SHA1
f0a47cc2b686a92b30221bcebae1d1c21a2b608d

SHA256
b69d73522d0705693c2cec5bc7176cd7fcc88279d8a42fc80e8dc86d17dcdf4e

SHA512
1bcd8e63460980470369b56c57476bbec54ca8144b892b2759ac5bac6447475c6e50b1fca38b51e6c6b7d8480c9096f61b4da1bd12a4451dde66c9887ea0b146

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
6KB

MD5
11f86b9c1fb15fb96308f03f12c0ba8e

SHA1
ed3f0acf3e433ce93e505b91a0fc721c79cdbf99

SHA256
a7c88acb68782a7a88f39b850a15a4a4835e00711d350b361cdd1a9cf115babd

SHA512
bd716498eb59360a05913f62a242f9326c9353ce8b963e93a53d654a3b758257bcbef1efddcc01a749883e9aac13a694c443e0c089b5c8a1d035c6f0d93f11ff

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
6KB

MD5
411e2fc00ea500a1ef0895ab0ae74e78

SHA1
26643defe9b0860e84d4d7274680a4492e4704fd

SHA256
3a3fe37ff79198487a52684956ca5508ce822712beb4ead726be2749f513d4d9

SHA512
6bf7ebc4c7ce4cc38fb65958323ed9773ded5c5b2e4376608a681d78cddb784e7f57bd64983555fc8a3321a761ce88114bf738700445b5e9da1d0bf416b09f06

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
7KB

MD5
d06178dcd324178ee6d62eafe4a35835

SHA1
93370525d1c84d7e73451c33533bd53caacb715a

SHA256
4056ccbb2775e7402a2fa03191d03be8180e0ac64788012a30d3422075ed0f60

SHA512
d5460a53dbe62ea58811708923b9079b2e28ef7d0289a9b7d7ec58fe814b6e089cdcb5fb1dec818751f5223288a15d5d36dd3004d7f2b040fee25324a42f2828

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
9KB

MD5
9eb404fe1708c66d291041efa71a7ce6

SHA1
4d5568414eb5a64b604c67894085a31d16e54110

SHA256
ca2abc582fc89d2611da43ab6ac9872b29dd80660a3c1e5aed811cf2da85c863

SHA512
f92bbb07e48ae317bdac8fcfe13fdfe7a4342a115785fd17f8be3bd495722e528b65630da4b74d9ca91430e4e098cefde45554fc2aaf02358fb7827c75aaacbe

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
9KB

MD5
c0c4012b9f16c7b0af8226f8a15672f9

SHA1
9a659e90514dd0961c5af721075717735876d5e4

SHA256
68adabc1b15b56533bcb885094dfd6645c73ab0e946e55450bfdb9365e5840b2

SHA512
a98664b10bfd2a0dba6e88dd814f9e08e7014c7a8e4e89241443500d0853857e8118652c1c5aea58bd72eaada6daccc687795a4ec1a443ec66420832c60273f7

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
10KB

MD5
bb3916f2ce560ca89c607a234cd05982

SHA1
a022e1e2f329952f7bdaadb933f215603caf74dc

SHA256
8281e585c3257abf34684fb13846a9952742c34f0f53790c4560f2f25a47113a

SHA512
e9ac60e3bb689bd71eb52118ee0a696f9b03e985e8c38945c32b6f48faa4f392912818626f07eb907667b91801d4cfa74ed06c87b540dc4cae337d2a159fa075

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
10KB

MD5
78e83cf4e95fb5b7fa4a79b01bb49650

SHA1
61b6af2257334e3aad5739e7190fb03f1cf2a3a4

SHA256
2fd601fced8b4d92df1c06e4b42bf80f54a1fbf6f151afd2641cb7d7fe910989

SHA512
4083b95b5376b2098c472d78f7d2b8f2ccca3dbd38ab0098fbd2611fd8078b8dd93e51281920c37642a8abf137a40af17ef97d46dbec28f605f8989ac9f0e7a5

Download Submit
C:\Windows\LMIB4DE.tmp\rescue.log

Filesize
12KB

MD5
2fc685bfb3a9992efe4b460eeabd960e

SHA1
69f62aaa3ce252d5d40c2932c62e3c202d921c06

SHA256
da5e5008167da1171243145849ad2fbad717cab314cc28cd41565500d0150fca

SHA512
3941c5ce1099154f0b2985914138725019cd4fe29f22f14533989de34367503832c1c347254ff63e60477abba91c885cbb7ba7966f5fbc062889bb5aee91d772

Download Submit
\Windows\LMIB4DE.tmp\rahook.dll

Filesize
173KB

MD5
6c26dc7a54ba4134ecd81cebe159077b

SHA1
509250d4ab362377129db293bf5d2baa895c5402

SHA256
392871cd6e398ab32889ea5f9b09c8f74f7a2f48679e905d590d418c02e79d70

SHA512
b26bcdb1264a7561a77c6315ca2dbfa48442f7428669c67f6db3ab85633f8114a63f672506a4cb58734ae582cd9afa72cc8822ecaadcabd75ef1569122325672

Download Submit